 

Ways around putting a password in code

I have a bit of code that needs to run with elevated privileges (more than I want the rest of my code running at).

I have my code that sets up the impersonation working, but it requires a username, domain and password. As my code is in C#/.NET, I know that the password can be found by anyone determined enough.

Is there a way to encrypt the password in my code? Or otherwise secure this password and still be able to pass it in?

Here is the code I am calling:

// Impersonator wraps LogonUser/WindowsIdentity.Impersonate; the third argument
// is the plain-text password that this question is trying to keep out of the binary.
using (new Impersonator("UserNameGoesHere", "DomainNameGoesHere", "Password Goes Here"))
{
    uint output;
    NetUserAdd(AUTHENTICATION_SERVER, 1, ref userinfo, out output);
    return output;
}

I would love an example that shows how to fix this to not show my password in plain text.

I am using Visual Studio 2008, .NET 3.5 SP1, and running on Windows Server 2003.

Asked Jul 31 '09 by Vaccano



1 Answer

Vaccano,

I would recommend investigating the data protection API (DPAPI) for what you're attempting to achieve. It is considered part of the solution in many best practice approaches to reversibly storing passwords needed by applications.

A good article discussing the DPAPI (and other techniques + concerns) can be found here:

http://msdn.microsoft.com/en-us/magazine/cc164054.aspx

With C# 2.0, P/Invoking isn't even required; managed wrappers exist:

http://blogs.freshlogicstudios.com/Posts/View.aspx?Id=41ca5a99-ddc0-4d0a-9919-2ce10bf50c7e

I hope this helps!

Answered Nov 04 '22 by Sean P. McDonough
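The approach the answer points at, as an added example that is not part of the question or the answer above: the password is protected once with DPAPI (System.Security.Cryptography.ProtectedData, in System.Security.dll since .NET 2.0, so it compiles on .NET 3.5 without P/Invoke) and stored as a blob outside the source; at run time the blob is unprotected and handed to the existing Impersonator. The file path, the entropy label and the helper class name are assumptions for the example.

```csharp
// Added example (not code from the original question or answer).
// Keeps the impersonation password out of the binary by storing it as a
// DPAPI-protected blob that only the protecting Windows account can read.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class ProtectedSecret
{
    // Optional entropy mixed into the DPAPI key. It is not a secret (it lives
    // in the binary), but it stops other code running under the same account
    // from unprotecting the blob without also knowing this value.
    // Assumed label for the example.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("NetUserAdd-impersonation-v1");

    // One-time step. Run it AS THE ACCOUNT THAT WILL LATER CALL Load, because
    // DataProtectionScope.CurrentUser ties the blob to that account's profile.
    // Example: ProtectedSecret.Store(@"C:\ProgramData\MyApp\svc.bin", password);
    public static void Store(string path, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);   // do not leave the plaintext lying around
        File.WriteAllBytes(path, blob);
    }

    // Runtime step. ProtectedData.Unprotect throws CryptographicException when
    // a different account (or a reset profile) tries to read the blob, which is
    // the failure mode you want instead of silently impersonating with junk.
    public static string Load(string path)
    {
        byte[] blob = File.ReadAllBytes(path);
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        try
        {
            return Encoding.UTF8.GetString(plain);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
        }
    }
}

// Plugging it into the snippet from the question (user and domain are not
// secrets, but reading them from config too makes rotating the account easier):
//
//   string secretPath = @"C:\ProgramData\MyApp\svc.bin";   // assumed location
//   using (new Impersonator(user, domain, ProtectedSecret.Load(secretPath)))
//   {
//       uint output;
//       NetUserAdd(AUTHENTICATION_SERVER, 1, ref userinfo, out output);
//       return output;
//   }
```

Two caveats a reviewer would raise. DPAPI only protects the password at rest: whichever Windows account runs the code can always decrypt the blob, and the plaintext is in process memory while Impersonator uses it, so the real boundary is "who can run this process", and the file should be ACLed to that account only. DataProtectionScope.LocalMachine would let any process on the server decrypt the blob, so prefer CurrentUser under a dedicated service account; if the whole process can simply run as that account (service or scheduled task), there is no password to store at all.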